Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Page created by Barry Warren

Uncategorized

English

Like
Share
Embed
Fullscreen
Slides
Download HTML
Download PDF
Abuse

←

→

Page content transcription

If your browser does not render page correctly, please read the page content below

Cybercrime: Conceptual Issues for Congress
and U.S. Law Enforcement

Kristin Finklea
Specialist in Domestic Security

Catherine A. Theohary
Specialist in National Security Policy and Information Operations

January 15, 2015

                                                   Congressional Research Service
                                                                         7-5700
                                                                    www.crs.gov
                                                                          R42547

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Summary
Twenty-first century criminals increasingly rely on the Internet and advanced technologies to
further their criminal operations. These criminals can easily leverage the Internet to carry out
traditional crimes such as distributing illicit drugs and sex trafficking. In addition, they exploit the
digital world to facilitate crimes that are often technology driven, including identity theft,
payment card fraud, and intellectual property theft. Cybercrimes have economic, public health,
and national security implications, among others. For over three decades, Congress has been
concerned about cybercrime and its related threats. Today, these concerns often arise among a
larger discussion surrounding the federal government’s role in ensuring U.S. cyber security.

Conceptualizing cybercrime involves a number of key elements and questions that include where
do the criminal acts exist in the real and digital worlds (and what technologies are involved in
carrying out the crimes), why are malicious activities initiated, and who is involved in carrying
out the malicious acts?

• One way of viewing cybercrimes is that they may be digital versions of
traditional, real world offenses. They could be considered traditional, or “real
world,” crimes if not for the incorporated element of virtual or cyberspace. In
some instances, however, it may seem that law enforcement struggles to keep up
with developments in the virtual world, which transform routine activities once
driven by paper records in the real world. As a result, criminals are often
prosecuted using laws intended to combat crimes in the real world.
• The distinction between cybercrime and other malicious acts in the virtual realm
is the actor’s motivation. Cyber criminals can exhibit a wide range of self
interests, deriving profit, notoriety, and/or gratification from activities such as
hacking, cyber stalking, and online child pornography. Without knowing the
criminal intent or motivation, however, some activities of cyber criminals and
other malicious actors may appear on the surface to be similar, causing confusion
as to whether a particular action should be categorized as cybercrime or not.
When referring to cybercrime incidents, terms such as cyber attack, cyber
espionage, and cyber war are often loosely applied, and they may obscure the
motives of the actors involved.
• Criminal attribution is a key delineating factor between cybercrime and other
cyber threats. When investigating a given threat, law enforcement is challenged
with tracing the action to its source and determining whether the actor is a
criminal or whether the actor may be a terrorist or state actor posing a potentially
greater national security threat. This is highlighted by examining the online
collective known as Anonymous. Some refer to Anonymous as a group of online
activists, others see the collective as a group of criminal actors, and still others
have likened it to online insurgents.
The U.S. government does not appear to have an official definition of cybercrime that
distinguishes it from crimes committed in what is considered the real world. Similarly, there is
not a definition of cybercrime that distinguishes it from other forms of cyber threats, and the term
is often used interchangeably with other Internet- or technology-linked malicious acts. Federal
law enforcement agencies often define cybercrime based on their jurisdiction and the crimes they
are charged with investigating. And, just as there is no overarching definition for cybercrime,

Congressional Research Service

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

there is no single agency that has been designated as the lead investigative agency for combating
cybercrime.

Congress may question whether it is necessary to have a clear definition of what constitutes
cybercrime and what delineates it from other real world and cyber threats. On one hand, if the
purpose of defining cybercrime is for investigating and prosecuting any of the various crimes
under the broader cybercrime umbrella, it may be less critical to create a definition of the
umbrella term and more imperative to clearly define which specific activities constitute crimes—
regardless of whether they are considered real world crimes or cybercrimes. On the other hand, a
distinction between cybercrime and other malicious activities may be beneficial for creating
specific policies on combating the ever-expanding range of cyber threats. If government agencies
and private sector businesses design strategies and missions around combating cybercrime, it may
be useful to communicate a clear definition of cybercrime to those individuals who may be
involved in carrying out the strategies.

The United States does not have a national strategy exclusively focused on combating
cybercrime. Rather, there are other, broader strategies that have cybercrime components (a
selection of which are presented in the Appendix). Policy makers may question whether there
should be a distinct strategy for combating cybercrime or whether efforts to control these crimes
are best addressed through more wide-ranging strategies such as those targeting cyber security or
transnational organized crime. Congress may also question whether these broader strategies
provide specific cybercrime-related objectives and clear means to achieve these goals.

Comprehensive data on cybercrime incidents and their impact are not available, and without exact
numbers on the current scope and prevalence of cybercrime, it is difficult to evaluate the
magnitude of the threats posed by cyber criminals. There are a number of issues that have
prevented the accurate measurement and tracking of cybercrime. For one, the lack of a clear sense
of what constitutes cybercrime presents a barrier to tracking inclusive cybercrime data.
Additionally, much of the available data on cybercrime are self-reported, and individuals or
organizations may not realize a cybercrime has taken place or may elect—for a host of reasons—
not to report it. Policy makers may debate whether to direct a thorough evaluation of the threats
posed by cyber criminals.

Congressional Research Service

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Contents
Background ...................................................................................................................................... 1
Conceptualizing Cybercrime ........................................................................................................... 2
Where: Location of Criminal Activities, Actors, and Victims ................................................... 2
Technology: Cyber vs. Real World Crime........................................................................... 3
Borders and Cyberspace ...................................................................................................... 5
Why: Motivation ....................................................................................................................... 6
Blurring Lines Between Cybercrime and Related Threats .................................................. 7
Who: Attribution...................................................................................................................... 11
Government Definitions and Agency Focus ............................................................................ 15
Is a Definition Needed? ........................................................................................................... 16
Strategies and Cybercrime ............................................................................................................. 17
Measuring and Tracking Cybercrime ............................................................................................ 18
Moving Forward ...................................................................................................................... 20

Appendixes
Appendix. Existing Strategies and Cybercrime ............................................................................. 22

Contacts
Author Contact Information........................................................................................................... 27

Congressional Research Service

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Background
Twenty-first century criminals increasingly rely on the Internet and advanced technologies to
further their criminal operations. According to Europol’s Organized Crime Threat Assessment,
“Internet technology has now emerged as a key facilitator for the vast majority of offline
organised crime activity.”1 For instance, criminals can easily leverage the Internet to carry out
traditional crimes such as distributing illicit drugs and sex trafficking. In addition, they exploit the
digital world to facilitate crimes that are often technology driven, including identity theft,
payment card fraud, and intellectual property theft. The Federal Bureau of Investigation (FBI)
considers high-tech crimes to be the most significant crimes confronting the United States.2
Policy makers have shown an increasing interest in ensuring the federal government has the tools
and capabilities to combat modern day crime—particularly those with cyber components—while
safeguarding privacy rights.3

Today’s cyber criminals “have evolved their practices to make their crimes more profitable....
[T]hey choose specialties, master their skills, create networks of colleagues, and organize their
crimes.”4 These criminals can victimize individuals and organizations alike. They are motivated
by self interest and profit. One estimate has placed the annual cost of cybercrime to adults in 24
countries across the globe at $113 billion.5 In addition to the economic impact, cybercrimes can
have public health and national security consequences, among others.

U.S. officials face the challenging task of identifying the perpetrators of malicious cyber incidents
in which victim and criminal can be far removed from one another. The person or persons behind
an incident can range from lone actors to expansive criminal networks or even nation states. This
challenge of actor attribution is further compounded by the anonymity afforded by the digital
realm. It can sometimes be difficult to determine the actor’s motivation—is the criminal driven by
greed or glory in the form of recognition among fellow criminals in the cyber world, or does the
criminal have broader ideological motives? Finding the answers to these questions is key to
distinguishing between cybercrimes and other cyber threats such as cyber attacks, cyber
espionage, and cyber warfare. Relevant distinctions exist between these various malicious
activities in the cyber domain just as lines have been drawn between their real world counterparts.

For over three decades, Congress has been concerned about cybercrime and its related threats.6
Today, these concerns often arise among a larger discussion surrounding the federal government’s

1
Europol, EU Internet Organized Threat Assessment: iOCTA 2011, File No. 2530-274, April 28, 2011, p. 6.
2
See remarks by James B. Comey, Director, Federal Bureau of Investigation before the RSA Cyber Security
Conference, San Francisco, CA, February 26, 2014. Hereinafter: Comey, RSA Cyber Security Conference.
3
See, for example, U.S. Congress, Senate Committee on the Judiciary, Privacy in the Digital Age: Preventing Data
Breaches and Combating Cybercrime, 113th Cong., 2nd sess., February 4, 2014.
4
Steven R. Chabinsky, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, GovSec/FOSE
Conference, Washington, DC, March 23, 2010. Hereinafter: Chabinsky, GovSec/FOSE Conference.
5
Norton, Symantec Corporation, “2013 Norton Report: Cost per Cybercrime Victim Up 50 Percent,” press release,
October 1, 2013. This $113 billion is the self-reported direct financial losses to cybercrime.
6
The original version of the Computer Fraud and Abuse Act was passed as part of the Comprehensive Crime Control
Act of 1984 (P.L. 98-473). Prior to this, hearings were held over several Congresses. For more information, see CRS
Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal
Criminal Laws, by Charles Doyle.

Congressional Research Service 1

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

role in ensuring cyber security. This report discusses the concept of cybercrime and related cyber
threats such as cyber espionage and cyber warfare. While it touches on these related threats, this
report only does so in the context of framing the discussion of cybercrime.7 It questions
whether—and under what circumstances—clear distinctions between the various threats should
be delineated. The report also outlines how current federal strategies may address cybercrime. It
raises issues surrounding the measurement and tracking of cybercrime. Throughout, it discusses
whether a clearer understanding of what constitutes cybercrime as well as its prevalence and harm
could better equip policy makers to debate the sufficiency of federal law enforcement resources
available to counter cybercrime and to conduct oversight in this arena.

Conceptualizing Cybercrime
A singular, agreed-upon definition of cybercrime does not exist. Various definitions have been
offered by industry experts and scholars, and several have been formulated within the federal
government. Definitions have varied in their levels of specificity and breadth. For instance, one of
the largest computer security companies, Symantec Corporation, defines cybercrime as “any
crime that is committed using a computer or network, or hardware device.”8 Irrespective of the
definition, conceptualizing cybercrime involves a number of key elements and questions,
including where do the criminal acts exist in the real and digital worlds (and what technologies
are involved), why are malicious activities initiated, and who is involved in carrying out the
malicious acts? In the sections below, the questions of where, why, and who are discussed as they
relate to cybercrime. This is followed by a discussion of government definitions of cybercrime
and a debate on whether or when a common definition of cybercrime may be useful.

Where: Location of Criminal Activities, Actors, and Victims
The notion of location as it relates to cybercrime involves both the physical and digital domains.
The relatively clear borders and locations within the physical world, however, are not replicated
in the virtual realm. Of course, some distinct boundaries separate the physical and the cyber
worlds; keyboard, mouse, screen, and password can all mediate between these physical and
virtual realms.9 Within cyberspace, however, the notion of a border is much more nebulous. This
is, in part, because the same geographic borders that exist in the real world do not exist in the
cyber world.10

Even without distinct borders, the digital world is linked to the physical world—as is crime
involving the digital world. Take, for instance, point-of-sale (POS) skimming. This high-tech
financial fraud involves placing a device over (or sometimes replacing) an existing card slot on a
credit card reader or ATM. The device “relies on sophisticated data-reading electronics to copy
the magnetic stripe information from [the] credit card or debit card. It can capture both [the]

7
For more information on cyberwarfare and other cybersecurity issues, see CRS Report RL31787, Information
Operations, Cyberwarfare, and Cybersecurity: Capabilities and Related Policy Issues, by Catherine A. Theohary.
8
Symantec Corporation, What is Cybercrime?, http://us.norton.com/cybercrime-definition.
9
David R. Johnson and David Post, “Law and Borders - The Rise of Law in Cyberspace,” Stanford Law Review, vol.
48 (May 1996), p. 1379.
10
Ibid., p. 1370.

Congressional Research Service 2

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

credit card number and [the] PIN.”11 Fraudsters can then retrieve the stolen information by
physically collecting the skimming device or by programming the device to broadcast the data to
thieves over a network.

Researchers have proposed that some cybercrimes may require more technological expertise or
heavier use of digital technologies to perpetrate than others.12 For example, phishing,13 identity
theft, and distributed denial of service (DDoS)14 attacks necessitate a greater understanding of
computing and digital technologies than others, such as cyber stalking and online child
pornography, that can be thought of as “point and click” crimes. Those crimes requiring more
technological expertise may also be more firmly rooted in the virtual world than others.
Regardless, the cyber component may delineate them from traditional crimes. Computers and
other advanced technologies may be components of cybercrime through a variety of roles:

• in some cybercrimes, computers themselves—or data contained therein—are the
victims or targets of crime;
• in other instances, computers or other digital technologies are used as tools for
carrying out crimes (victimizing individuals, organizations, or government); and
• technological devices may serve as repositories for evidence of a cybercrime.15
All of these issues underscore the salience of location in any conceptualization of cybercrime.

Technology: Cyber vs. Real World Crime
Perhaps one way of viewing cybercrimes is that they are digital versions of traditional offenses.16
It appears that many cybercrimes could be considered traditional, or real world, crimes if not for
the incorporated element of virtual or cyberspace. Indeed, many of these so-called cybercrimes
can be easily likened to traditional crimes. For instance, identity theft can occur in both physical
and cyber arenas. While these crimes may occur through differing mechanisms, in both
circumstances the criminal intent (profit) and outcome (stolen personally identifiable information)
are the same.

11
Robert Vamosi, “Keep Your Credit Cards Safe From Skimmers,” PC World, December 8, 2010.
12
Sarah Gordon and Richard Ford, “On the definition and classification of cybercrime,” Journal of Computer Virology,
vol. 2 (July 2006), pp. 15 – 19.
13
Phishing “is a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail
messages that appear to come from legitimate businesses. These authentic-looking messages are designed to fool
recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social
Security numbers,” Computerworld, January 19, 2004, http://www.computerworld.com/s/article/89096/Phishing.
14
A denial-of-service attack attempts to prevent legitimate users from accessing a resource – in this case a network or
website. This is most commonly done by “flooding” a network with information and overloading the server with so
many requests for information that it cannot process other, legitimate requests. A distributed denial-of-service (DDoS)
attack utilizes other computers—often from unwitting individuals—to assist in flooding a network. For more
information, see the U.S. Computer Emergency Readiness Team, http://www.us-cert.gov/cas/tips/ST04-015.html.
15
According to the Homeland Security Newswire, “[t]he ubiquity of this [electronic] technology [such as cell phones
and computer files] has often provided investigators with an electronic trail that gives prosecutors concrete analytical
evidence for nearly every crime.” “An Electronic Trail for Every Crime,” Homeland Security Newswire, April 19,
2011, http://homelandsecuritynewswire.com/electronic-trail-every-crime.
16
Susan Brenner, “Thoughts, Witches and Crimes,” CYB3RCRIM3: Observations on Technology, Law, and
Lawlessness, May 6, 2009, http://cyb3rcrim3.blogspot.com/2009/05/thoughts-witches-and-crimes.html.

Congressional Research Service 3

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

• In the real world, a criminal can steal a victim’s wallet or mail including
documents containing personally identifiable information. In one case from
March 2014, two defendants were charged for their role in a conspiracy to “steal
mail containing credit debit cards.... The defendants then used the stolen debit
cards to obtain cash, without the knowledge or authorization of the identity theft
victims.”17 In another case, two men were sentenced for leading a criminal
enterprise that stole credit and debit cards from mailboxes in affluent
neighborhoods in South Florida. The thieves then used the cards to make large
purchases and cash withdrawals from the cards, costing victims $786,000.18
• In the cyber world, a computer hacker can easily steal this same PII—
electronically rather than physically. In September 2013, two Romanian nationals
were sentenced for “participating in an international, multimillion-dollar scheme
to remotely hack into and steal payment card data from hundreds of U.S.
merchants’ computers.” Defendants remotely hacked into POS systems and then,
also remotely, installed “keystroke loggers.” These devices illegally captured
victims’ credit card information when the cards were swiped by the merchants,
and then this information was transferred electronically to the fraudsters. The
defendants stole information from more than 100,000 victims and sold this
information for a profit.19
In some instances, it may seem that law enforcement struggles to keep up with developments in
the virtual world, which transform routine activities once driven by paper records in the real
world. As a result, criminals are often prosecuted using laws intended to combat crimes in the real
world. As Department of Justice (DOJ) officials have pointed out, federal laws to prosecute
computer-related crimes are not necessarily as ample or broad as those used to confront their
traditional counterparts.20 For instance, computer fraud (18 U.S.C. §1030) is not currently
considered a predicate offense for racketeering under the Racketeer Influenced Corrupt
Organizations (RICO) Act—one of the primary tools used to prosecute organized crime.21 As
noted, organized criminals are increasingly using the Internet and other advanced technologies to
carry out their operations. Yet, the range of crimes carried out by organized crime encompasses
both traditional and cybercrimes. The Obama Administration has recommended revising RICO
provisions (which can be applied to both criminal and civil cases) so that computer fraud would
be considered a predicate offense.22 Cyber criminal organizations have been targeted under civil

17
U.S. Attorney’s Office, Southern District of Florida, “Twenty-Five Defendants Charged in Separate Schemes That
Resulted in Thousands of Identities Stolen and Millions of Dollars in Identity Theft Tax Filings,” press release, April 3,
2014.
18
U.S. Department of Justice, “Two Wellington Men Sentenced in Mail and Aggravated Identity Theft Ring,” press
release, April 26, 2011; Wayne K. Roustan, “Two Plead Guilty to ID Theft That Cost Victims $786,000: They Admit
Stealing Credit and Debit Cards from Mailboxes,” February 12, 2011.
19
U.S. Department of Justice, “Two Romanian Nationals Sentenced to Prison for Scheme to Steal Payment Card
Data,” press release, September 14, 2013.
20
Statement for the Record of James A. Baker, Associate Deputy Attorney General, Department of Justice before the
U.S. Congress, House Committee on the Judiciary, Subcommittee on Crime, Terrorism, and Homeland Security,
Cybersecurity: Innovative Solutions to Challenging Problems, 112th Cong., May 25, 2011, http://judiciary.house.gov/
hearings/pdf/Baker05252011.pdf.
21
For more information on RICO, see CRS Report 96-950, RICO: A Brief Sketch, by Charles Doyle. The predicate
offenses for racketeering include a host of state and federal crimes listed in 18 U.S.C. §1961.
22
The White House, Law Enforcement Provisions Related to Computer Security, May 12, 2011, p. 2,
http://www.whitehouse.gov/omb/legislative_letters. Legislation (e.g., the Cyber Crime Protection Security Act, S.
(continued...)

Congressional Research Service 4

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

RICO, citing predicate offenses such as wire fraud, bank fraud, and access device fraud.23 It is
unknown whether or how adding computer fraud to the list of predicate offenses would further
these investigations and prosecutions.

• In June 2014, the GameOver Zeus botnet,24 was disrupted through an
international law enforcement effort led by the FBI. Law enforcement was
authorized to sever communication between infected computers and criminal
servers.25 GameOver Zeus is the most recent variant of the Zeus Botnet, which
would steal online banking information and transfer funds to money mules, or
U.S. residents with bank accounts, who would move the money out of the United
States. Officials also indicted an alleged administrator of GameOver Zeus,
“charging him with conspiracy, computer hacking, wire fraud, bank fraud, and
money laundering.”26

Borders and Cyberspace
Criminals operate in the cyber world partly to circumvent more conventional, established
constructs such as international borders.27 In the virtual realm, criminals can rely on relative
anonymity and a rather seamless environment to conduct business. High-speed Internet
communication has not only facilitated the growth of legitimate business, but it has bolstered
criminals’ abilities to operate in an environment where they can broaden their pool of potential
targets and rapidly exploit their victims. Between December 2000 and June 2014, the estimated
number of Internet users grew from almost 361 million to nearly 7.2 billion—an increase of more
than 741%.28 Frauds and schemes that were once conducted face-to-face can now be carried out
remotely from across the country or even across the world. Despite criminals exploiting virtual
space, the criminal actor and the victim(s) are located in the real world—though often in different
cities, states, or even countries. Similarly, the digital technologies used to facilitate these crimes,
such as Internet servers and digital communication devices, are located in physical locations that
may not coincide with the locations of the criminal actors or victims. As such, law enforcement
faces not only technological but jurisdictional challenges in investigating and prosecuting cyber
criminals.

(...continued)
2111) introduced in the 112th Congress would, among other things, make computer fraud and related crimes under 18
U.S.C. §1030 predicate offenses under RICO.
23
“Microsoft Takes Down Dozens of Zeus, SpyEye Botnets,” Krebs on Security, March 26, 2012. See also Microsoft
Corp., FS-ISAC, Inc., and National Automated Clearing House Association v. John Does 1-39, (U.S. District Court,
Eastern District of New York), http://www.zeuslegalnotice.com/images/Complaint_w_Appendices.pdf.
24
Botnets are groups of computers that are remotely controlled by hackers. They have been infected by downloading
malicious software and are used to carry out malicious activities on behalf of the hackers.
25
U.S. Department of Justice, “U.S. Leads Multi-National Action Against GameOver Zeus Botnet and Cryptolocker
Ransomware, Charges Botnet Administrator,” press release, June 2, 2014.
26
U.S. Department of Justice, “U.S. Leads Multi-National Action Against GameOver Zeus Botnet and Cryptolocker
Ransomware, Charges Botnet Administrator,” press release, June 2, 2014.
27
For more information on the issue of borders in cyberspace, see CRS Report R41927, The Interplay of Borders, Turf,
Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin Finklea.
28
Internet World Stats, Internet Usage Statistics, The Internet Big Picture, World Internet Users and Population Stats,
http://www.internetworldstats.com/stats.htm.

Congressional Research Service 5

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Conceptualizing Cyberspace
In determining what constitutes cybercrime, it may be beneficial to outline what constitutes
cyberspace. After determining what constitutes the cyber realm, then boundaries for permissible
behavior—as it intersects with this space—can be outlined.

The National Security Presidential Directive 54/Homeland Security Presidential Directive 23
(NSPD-54/HSPD-23) defines cyberspace as “the interdependent network of information
technology infrastructures, and includes the Internet, telecommunications networks, computer
systems, and embedded processors and controllers in critical industries.” In other words,
cyberspace is the “virtual environment of information and interactions between people.”29 The
U.S. military has adopted a definition of cyberspace consistent with that laid out in NSPD-
54/HSPD-23. A recently published document of the Department of Defense defined cyberspace as
“[a] global domain within the information environment consisting of the interdependent networks
of information technology infrastructures and resident data, including the Internet,
telecommunications networks, computer systems, and embedded processors and controllers.” It
is unknown whether federal law enforcement also utilizes the definition of cyberspace—as
outlined in NSPD-54/HSPD-23—in its conceptualization of what constitutes cybercrime and for
purposes of cybercrime investigations and prosecutions.

As noted by one expert, cyberspace “is not a fixed, predetermined reality operating according to
principles and dynamics that cannot be controlled or altered by man. The cyberworld is a
constructed world, a fabrication. Because it is a construct, cyberspace is mutable; much of it can
be modified and transformed.”30 Criminal actors do not exist in cyberspace. Rather, they exist in
the physical world and their actions traverse the real world as well as cyberspace, impacting
victims in the real world. In this vein, criminals may rely upon cyberspace as a marketplace to
help carry out malicious activities, but they—and their victims—remain in the physical world.

Why: Motivation
The distinction between cybercrime and other cyber-based malicious acts such as terrorism or
state sponsored espionage is the actor’s motivation. Cyber criminals can exhibit a wide range of
self interests, deriving profit, notoriety, and/or gratification from activities such as hacking, cyber
stalking, and online child pornography. As one FBI agent specializing in cybercrime has
reportedly stated, “[h]acking into a company, whether it’s to put information on the web for
everyone to see or if you’re going to make money, is still hacking, it’s still a crime.”31 Without
knowing the criminal intent or motivation, however, some activities of cyber criminals and other
malicious actors may appear on the surface to be similar, causing confusion as to whether a
particular action should be categorized as cybercrime or not. As noted in the National Strategy to
Secure Cyberspace, “[t]he speed and anonymity of cyber attacks makes distinguishing among the

29
National Security Agency, Statement for the Record, Lieutenant General Keith Alexander, Commander, Joint
Functional Component Command for Network Warfare, Before the House Armed Services Committee, Terrorism,
Unconventional Threats, and Capabilities Subcommittee, May 5, 2009, http://www.nsa.gov/public_info/
speeches_testimonies/5may09_dir.shtml.
30
Susan W. Brenner, “Organized Cybercrime? How Cyberspace May Affect the Structure of Criminal Relationships,”
North Carolina Journal of Law & Technology, vol. 4, no. 1 (Fall), p. 37.
31
Dominic Rushe, “FBI Fights Back Against Cybercrime,” The Guardian, August 24, 2011,
http://www.guardian.co.uk/technology/2011/aug/24/us-agency-fights-back-against-cybercrime.

Congressional Research Service 6

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the
fact, if at all.”32 This challenge of attribution is discussed in detail in the section “Who:
Attribution.”

The FBI has noted three primary categories of cyber threat actors:

[1] organized crime groups that are primarily threatening the financial services sector, and
they are expanding the scope of their attacks; [2] state sponsors—foreign governments that
are interested in pilfering data, including intellectual property and research and development
data from major manufacturers, government agencies, and defense contractors; and [3]
increasingly there are terrorist groups who want to impact this country the same way they did
on 9/11 by flying planes into buildings. They are seeking to use the network to challenge the
United States by looking at critical infrastructure to disrupt or harm the viability of our way
of life.33

Of these three categories outlined by the FBI, the first—organized crime groups—focuses on
cybercrime. However, this category appears limited to those crimes that target the financial
services sector. While the second category includes the theft of intellectual property and other
activities that may be considered cybercrimes, this category is more roughly aligned with state-
sponsored espionage. As such, the FBI’s conceptualization of cybercrime surrounds the
activities—primarily financial—of organized crime groups. This may exclude lone actors
including hackers, stalkers, and online child predators. The FBI considers these malicious
activities under the umbrella of cybercrime, as discussed in the “Government Definitions and
Agency Focus” section of this report, but the classification noted above suggests that the FBI may
prioritize investigation of criminal organizations engaging in cybercrime over lone actors.

While there is a clear distinction that organized crime groups are motivated by profit and
terrorists are motivated by ideologies, the motivation of state sponsored cyber threat actors may
be more difficult to categorize and determine. This may be in part because different state
sponsored actors may have different motivations, as is implied by the FBI description of the range
of state sponsored cyber threats. For instance, some actors targeting the intellectual property of
manufacturers and corporations may aim to gain a competitive advantage for businesses based in
a particular country. Others actors seeking data from government agencies and contractors may
desire to utilize this information to undermine the integrity and security of a rival nation. This is
the distinction between the theft of trade secrets and the theft of state secrets. Nonetheless, in
some cases, state actors’ actions look much like those of profit-driven criminals.

Blurring Lines Between Cybercrime and Related Threats
When referring to cybercrime incidents, terms such as cyber attack and cyber war are often
loosely applied, and they may obscure the motives of the actors involved. Blurring of concepts
occurs in other areas as well. The terms cyber espionage or exploitation and cyber attack are often
used interchangeably, although they may refer to distinct sets of activities that are governed by
different laws, regulations, or strategies. However, there are areas where these activities may
overlap, causing confusion over the applicable governing structure. Experts have cautioned that

32
Department of Homeland Security, National Strategy to Secure Cyberspace, February 2003, p. viii,
http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf.
33
Federal Bureau of Investigation, The Cyber Threat: Part 1: On the Front Lines With Shawn Henry, March 27, 2012,
http://www.fbi.gov/news/stories/2012/march/shawn-henry_032712/shawn-henry_032712.

Congressional Research Service 7

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

overuse of the term cyber war or information warfare when referring to cybercrime may
sensationalize certain cybercrimes that are threats to public security but not necessarily threats to
national security.34

Organized Criminals in Cyberspace—A National Security Threat
Significant threats posed by cybercrime may be considered matters of national and economic
security. For instance, the White House, through the Strategy to Combat Transnational Organized
Crime (Strategy), has indicated that cybercrime “costs consumers billions of dollars annually,
threatens sensitive corporate and government computer networks, and undermines worldwide
confidence in the international financial system.”35 Criminal networks rely on cyber technologies
to carry out sophisticated frauds costing individuals and businesses billions of dollars. The
Strategy notes that over the course of one year, Central European cybercrime networks alone
have defrauded U.S. persons and businesses of about $1 billion.36

• In one case, members of a cybercriminal network (spanning countries including
Romania, the Czech Republic, the United Kingdom, and Canada) are alleged to
have participated in a cyber fraud scheme defrauding individuals making large
purchases on Internet marketplaces. The co-conspirators would reportedly post
items for sale, including “cars, motorcycles, boats, and other high-value items
generally priced in the $10,000 to $45,000 range. Unbeknownst to the buyers,
however, the merchandise did not exist.”37 They are suspected of duping their
victims out of more than $3 million.
• In another case, one network of hackers—from countries including Estonia,
Russia, and Moldova—reportedly hacked the RBS WorldPay computer network.
These individuals allegedly defeated the encryption used by RBS WorldPay to
protect customer information associated with the payroll card processing system.
Using counterfeit payroll debit cards—cards that allow employees to withdraw
their regular salaries from ATMs—the hackers and their associates withdrew
more than $9.4 million from over 2,100 ATMs across at least 280 cities around
the globe—including in the United States, Russia, Ukraine, Estonia, Italy, Hong
Kong, Japan, and Canada. Notably, the over $9 million loss occurred in under 12
hours. In October 2014, a leader of this network was sentenced “for conspiracy to
commit wire fraud and computer intrusion.”38

34
David L. Speer, “Redefining Borders: The Challenges of Cybercrime,” Crime, Law and Social Change, vol. 34, no. 3
(October 2000), p. 260.
35
The White House, Strategy To Combat Transnational Organized Crime: Addressing Converging Threats to National
Security, July 2011, p. 7, http://www.whitehouse.gov/sites/default/files/microsites/2011-strategy-combat-transnational-
organized-crime.pdf.
36
Ibid., p. 7.
37
U.S. Department of Justice, “Romanian National Aurel Cojocaru Extradited From Czech Republic To United States
To Face Charges Related To Multimillion Dollar International Cyber Fraud Scheme,” press release, November 7, 2013.
38
U.S. Department of Justice, “International Hacker Sentenced,” press release, October 24, 2014.

Congressional Research Service 8

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Cyber Espionage—Profit vs. State Direction
Espionage conducted in cyberspace is in many ways akin to traditional forms of espionage, the
unauthorized access to confidential information by an individual or government. Illicit exfiltration
of networked information can be conducted for intelligence gathering purposes, financial gains,
or a combination of the two. Cyber espionage—particularly that which targets trade secrets—can
pose similar threats to national security. According to the Office of the National
Counterintelligence Executive, “[f]oreign economic collection and industrial espionage against
the United States represent significant and growing threats to the nation’s prosperity and
security.”39 Cyber espionage targeting trade secrets can be considered either distinct from, or a
form of, cybercrime depending upon the actor and the actor’s motivation. Economic40 and
industrial espionage41 (or theft of trade secrets) financially burden U.S. companies that lose
valuable intellectual property and incur costs in remediating the damage from the theft.

The use of technology for these purposes is nothing new; spying in cyberspace is a criminal
activity as it is in other domains. However, the tools used to conduct cyber spying can be the
same as those used to commit a host of disruptive or destructive acts that could range from online
activism to criminal activity, and conceivably even an act of war.

     •    Consider the reported hacking of computer systems used in the design of the U.S.
          military’s multipurpose fighter jet, the Joint Strike Fighter.42 In some ways, this
          represents a typical case of industrial espionage in which plans for a company’s
          product are illegally obtained and replicated. However, as a military platform it is
          difficult to ascertain whether its computerized operating systems were hacked in
          order to understand and replicate them or to plant malicious software that could
          conduct military surveillance, or potentially disrupt or destroy the platform’s
          ability to function. Complicating this is the lack of clear attribution for the
          perpetrators. Although the security breach appeared to have origins in China,
          without an understanding of whether it was sponsored by a foreign government
          or military, it is difficult to categorize whether the hacking was merely a criminal

39
   Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace:
Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011, p. i.
40
   18 U.S.C. §1831. Economic espionage is “(a) In General—Whoever, intending or knowing that the offense will
benefit any foreign government, foreign instrumentality, or foreign agent, knowingly – (1) steals, or without
authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys,
photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret; (3) receives, buys, or
possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without
authorization; (4) attempts to commit any offense described in any of paragraphs (1) through (3); or (5) conspires with
one or more other persons to commit any offense described in any of paragraphs (1) through (3), and one or more of
such persons do any act to effect the object of the conspiracy.”
41
   18 U.S.C. §1832. Theft of trade secrets is when an individual “knowingly – (1) steals, or without authorization
appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information; (2) without
authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies,
replicates, transmits, delivers, sends, mails, communicates, or conveys such information; (3) receives, buys, or
possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without
authorization; (4) attempts to commit any offense described in paragraphs (1) through (3); or (5) conspires with one or
more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do
any act to effect the object of the conspiracy.”
42
   First reported in The Wall Street Journal, Siobhan Gorban, August Cole, and Yochi Dreazen, Computer Spies Breach
Fighter Jet Program, April 21, 2009.

Congressional Research Service                                                                                           9

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

activity or part of what could be considered an economic espionage campaign.43
For its part, officials from the People’s Republic of China have denied
responsibility, stating that all forms of computer hacking are illegal in China, and
that the government has difficulty in controlling computer crime within its own
borders.

Cyber Warfare
Three international incidents involving Estonia, Georgia, and Iran have influenced discussions of
what distinguishes cyber warfare from related cyber threats. In 2007, a series of distributed denial
of service (DDOS) attacks were launched on Estonian websites and networked services. Although
it appeared that the attacks may have come from Russia, some of the IP addresses involved were
traced to ethnic Russians living within Estonian borders.44 Without a definition of what
constitutes an “armed attack” in cyberspace and where territorial boundaries exist, and without
attribution to a nation state, some considered the Estonian cyber attacks to be more of a cyber riot
than a war. Some considered it the electronic equivalent to a real world sit-in, in that traffic to
particular sites was analogously slowed down or blocked by organized citizens wishing to make a
political statement or influence events. Others have likened it to a form of cyber terrorism,
another term for which no consensus definition exists.45 Ultimately, although various groups have
claimed credit for the attacks, investigations led to only one conviction in an Estonian criminal
court of an ethnic Russian student.

Soon after the Estonian incident, there was a series of strategic cyber attacks that disabled
Georgian command and control systems in 2008. This coincided with a Russian military
incursion across the Georgian border. As the cyber disruption occurred simultaneously with a
kinetic event, some considered this to be a form of network warfare. Some questioned whether
this disruption was an act of cyber warfare by the Russians or a separate cyber threat.
Investigations later determined that the attacks began with online Russian hacking forums, who
distributed lists of Georgian Internet sites as targets.

In July 2010, a malicious software worm called Stuxnet attacked the operations of nuclear
centrifuges in Iran.46 Some assumed that only a nation state or states would have the intelligence
apparatus and testing beds necessary to develop and deploy this malware. In addition, as the
worm was designed to target and destroy particular systems without any financial or intelligence
gain, Stuxnet may be considered a form of cyber weaponry rather than a different form of cyber
threat such as cyber espionage or cybercrime.

43
“Moonlight Maze” and “Titan Rain” are examples of cyber campaigns conducted against unclassified Department of
Defense targets and directed by other governments. Probes may be used to test network defenses as well as to extract
sensitive information, and may coincide with a country’s interest in weakening U.S. command and control systems.
44
For a country so wired that it is colloquially known as E-stonia, the attacks had such a crippling effect that Estonian
government officials considered it a national security crisis. At the time, Estonia appealed to the Russian government
for help under a Mutual Legal Assistance treaty, but was denied.
45
For information on terrorist use of the Internet, see CRS Report R41674, Terrorist Use of the Internet: Information
Operations in Cyberspace, by Catherine A. Theohary and John W. Rollins.
46
See CRS Report R41524, The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability, by Paul K.
Kerr, John W. Rollins, and Catherine A. Theohary.

Congressional Research Service 10

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Who: Attribution
The preceding section suggests that blurry lines between various types of malicious activity in
cyberspace may make it difficult for investigators to attribute an incident to a specific individual
or organization. Criminal attribution is a key delineating factor between cybercrime and other
cyber threats. When investigating a given threat, law enforcement is challenged with tracing the
action to its source and determining whether the actor is a criminal or whether the actor may be a
terrorist or state actor posing a potentially greater national security threat.

Take, for example, the July–September 2011 attacks on private companies primarily involved in
the chemical industry. In what has been dubbed the “Nitro” attacks, hackers sent phony emails to
members of Fortune 100 companies, businesses developing advanced materials for military
vehicles, and companies developing manufacturing infrastructure for the chemical industry.47 The
emails contained attachments with a malicious Trojan48 called PoisonIvy, which ultimately
allowed hackers access to other computers in the company workgroup as well as to needed
passwords. They could then navigate to the targeted intellectual property, copy the content, and
upload the information to servers external to the compromised organization. Because the
victimized companies were involved in the research, development, and manufacture of chemicals
and advanced materials, it may have initially been unclear whether the attacker was a terrorist
attempting to procure chemicals or a hacker seeking corporate secrets. According to Symantec,
the purpose of the attacks was likely industrial espionage, and the attackers appear to have been
seeking intellectual property, including design documents, formulas, and manufacturing
processes, for competitive advantage. The source of the attack was identified as a computer
system owned by an individual—dubbed Covert Grove—in China.49

The attribution issue is highlighted in the November 2014 revelation of a breach at Sony Pictures
Entertainment (SPE) by actors known as the “Guardians of Peace.” The FBI, in its investigation
of the breach, notes that it “consisted of the deployment of destructive malware and the theft of
proprietary information as well as employees’ personally identifiable information and confidential
communications. The attacks also rendered thousands of SPE’s computers inoperable, forced SPE
to take its entire computer network offline, and significantly disrupted the company’s business
operations.”50 There has been debate among officials, scholars, reporters, and others about the
true source of the breach. As of December 2014, the FBI—leading an interagency effort—had
attributed the hack to North Korea. In its attribution, the FBI cites malware linked “to other
malware that the FBI knows North Korean actors previously developed,” “significant overlap
between the infrastructure used in this attack and other malicious cyber activity the U.S.
government has previously linked directly to North Korea,” and tools similar to those used in a

47
   Eric Chien and Gavin O'Gorman, The Nitro Attacks: Stealing Secrets from the Chemical Industry, Symantec Security
Response, 2011, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/
the_nitro_attacks.pdf.
48
   A Trojan is a type of malware. It is a type of software that, once activated, can damage the host and provide back
doors for malicious users to access the computer system. For more information on the various types of malware, see
Cisco, What Is the Difference: Viruses, Worms, Trojans, and Bots?, http://www.cisco.com/web/about/security/
intelligence/virus-worm-diffs.html.
49
   Eric Chien and Gavin O'Gorman, The Nitro Attacks: Stealing Secrets from the Chemical Industry, Symantec Security
Response, 2011, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/
the_nitro_attacks.pdf.
50
   Federal Bureau of Investigation, “Update on Sony Investigation,” press release, December 19, 2014.

Congressional Research Service                                                                                    11

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

2013 North Korean cyber attack against South Korean banks and media outlets.51 Nonetheless,
experts critical of this attribution note that the evidence linking North Korea to the SPE breach is
not definitive.52

Attribution continues to be a challenge in identifying both public security and national security
threats. In the 2012 Worldwide Threat Assessment of the U.S. Intelligence Community, James
Clapper, Director of National Intelligence noted the challenges in cyber actor attribution. More
specifically, he noted that

         [t]wo of our greatest strategic challenges regarding cyber threats are: (1) the difficulty of
         providing timely, actionable warning of cyber threats and incidents, such as identifying past
         or present security breaches, definitively attributing them [emphasis added], and accurately
         distinguishing between cyber espionage intrusions and potentially disruptive cyber attacks;
         and (2) the highly complex vulnerabilities associated with the IT supply chain for US
         networks.53

The FBI, for one, has bolstered its efforts to better attribute cyber threats to specific sources and
motives. Through the Next Generation Cyber Initiative, the FBI is developing agents to connect
with critical infrastructure components and computer scientists to “extract hackers’ digital
signatures” and determine their identities, all to help concretely attribute a specific malicious
actor to a particular cyber incident.54 Similarly, the Department of Defense has reportedly “made
significant investments in forensics to address this problem of attribution.”55

Attribution, however, may be more important for government and law enforcement than for
private sector organizations. Law enforcement, through their investigations, may strive for
attribution so that the actual perpetrator may be prosecuted. Industry organizations, however, may
be less concerned and may focus more on damage control and prevention—regardless of the actor
or his motivations.56

Case Study: Anonymous
The online collective known as “Anonymous” is a decentralized group operating in cyberspace.
While scholars, theorists, law enforcement, and policy makers may not always agree on how to
conceptualize or categorize the Anonymous entity, it is generally agreed that it operates with two

51
   Federal Bureau of Investigation, “Update on Sony Investigation,” press release, December 19, 2014.
52
   See, for example, Andy Greenberg, “FBI Director: Sony’s ‘Sloppy’ North Korean Hackers Revealed Their IP
Addresses,” Wired: Threat Level, January 7, 2015; Pierluigi Paganini, “Sony Pictures Hack: Is North Korea Innocent or
Guilty?,” InfoSec Institute, January 11, 2015; and Michael Sexton, “Accurately Attributing the Sony Hack is More
Important than Retaliating,” Georgetown Security Studies Review, January 13, 2015.
53
   Office of the Director of National Intelligence, Unclassified Statement for the Record on the Worldwide Threat
Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, January 31, 2012, p. 8.
54
   Federal Bureau of Investigation, “Cyber Security: Focusing on Hackers and Intrusions,” press release, October 26,
2012, https://www.fbi.gov/news/stories/2012/october/cyber-division-focusing-on-hackers-and-intrusions/cyber-
division-focusing-on-hackers-and-intrusions.
55
   U.S. Department of Defense, “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for
National Security, New York City,” news transcript, October 11, 2012.
56
   Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace:
Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011, p. 1.

Congressional Research Service                                                                                    12

You can also read